Bug #167

Sylpheed does not check SSL certificate hostname

Added by Andrew Ayer over 8 years ago. Updated 2 months ago.

Status: Closed
Priority: High
Category: Security
Target version:
Start date: 02/24/2014
Due date:
% Done: 0%
Estimated time:

Description

When Sylpheed connects to an IMAP/SMTP/POP server over SSL, it does not check the hostname on the SSL certificate. This is a major security problem, because it means an attacker can man-in-the-middle an SSL connection by purchasing a valid certificate for his/her own domain and using it in the attack. Since the certificate is valid, Sylpheed accepts it, even though it's not for the hostname Sylpheed thinks it's connecting to.

The attached patch fixes the problem by making sure the name on the certificate matches the hostname Sylpheed is connecting to. The code to properly check a certificate's hostname with OpenSSL is not simple, so I used the MIT-licensed example code provided here: https://github.com/iSECPartners/ssl-conservatory


Files

sylpheed-check-ssl-hostname.patch (7.85 KB) - Andrew Ayer, 02/24/2014 03:59 AM

#1

Updated by Hiroyuki Yamamoto over 8 years ago

  • Status changed from New to Confirmed
  • Assignee set to Hiroyuki Yamamoto
  • Target version set to 3.4

Hello,

Thanks for the patch. I will add the SSL certificate hostname check in the next 3.4 release.
(And sorry about not replying to the e-mail you sent last month.)

#2

Updated by Hiroyuki Yamamoto over 8 years ago

  • Status changed from Confirmed to In Progress
#3

Updated by Hiroyuki Yamamoto over 8 years ago

  • Status changed from In Progress to Resolved

Fixed in r3318:3323.

  • separated additional code into independent files because of different license
  • modified naming convention to match LibSylph
  • used X509_V_ERR_APPLICATION_VERIFICATION to represent hostname mismatch
  • modified SOCKS proxy code to validate with endpoint hostname
#4

Updated by Hiroyuki Yamamoto over 8 years ago

  • Status changed from Resolved to In Progress

It was found that the patch does not check wildcard certificates (*.some.domain) at all.
I'll add it before the next release.
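The matching rule the patch adds, and the wildcard case raised in #4, as a stand-alone illustration (added example, not the patch or Sylpheed's code): a name taken from the certificate's subjectAltName dNSName or CN is compared against the hostname the client intended to reach. A client would call this for every dNSName in the SAN extension (falling back to the CN only when no SAN is present) and reject the connection when nothing matches; OpenSSL 1.0.2 and later provide X509_check_host for the same purpose.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of n bytes of two DNS names. */
static bool labels_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Returns true if `pattern` (a dNSName or CN from the certificate) matches
 * `host` (the server name the client intended to reach), following RFC 6125
 * section 6.4.3: exact case-insensitive match, or a wildcard that is the
 * whole left-most label and covers exactly one label.  "*.example.com"
 * matches "mail.example.com" but not "example.com", "a.b.example.com",
 * and patterns such as "*" or "*.com" never match anything. */
bool hostname_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0)
        return false;

    /* Exact (case-insensitive) match. */
    if (plen == hlen && labels_equal(pattern, host, plen))
        return true;

    /* Wildcard form must be "*." followed by at least two more labels. */
    if (plen < 2 || pattern[0] != '*' || pattern[1] != '.')
        return false;
    const char *suffix = pattern + 1;          /* ".example.com" */
    size_t slen = plen - 1;
    if (strchr(suffix + 1, '.') == NULL)        /* rejects "*.com" */
        return false;

    /* The host must consist of exactly one non-empty label plus the suffix. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;
    size_t first_label = (size_t)(dot - host);
    if (hlen - first_label != slen)
        return false;
    return labels_equal(host + first_label, suffix, slen);
}
```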

#5

Updated by Hiroyuki Yamamoto over 8 years ago

  • Status changed from In Progress to Resolved

Fixed in 3.4.0rc.

#6

Updated by Hiroyuki Yamamoto over 8 years ago

  • Status changed from Resolved to Closed
